Skip to main content

Kargo Takip CVE-2026-12095

| EUVDEUVD-2026-38670 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-24 Wordfence GHSA-mjcx-qfvm-369j
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
8.6 HIGH

Unauthenticated network SSRF with scope change to internal services; raised C to H because echoed 'auth' field directly exfiltrates credentials, no integrity/availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 06:55 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
HIGH 7.2

DescriptionCVE.org

The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The script echoes internal API response data (specifically the value of any 'auth' key in a JSON response body) verbatim back to the attacker's browser, enabling direct exfiltration of responses from internal services such as cloud instance metadata endpoints.

AnalysisAI

Server-side request forgery in the Kargo Takip WordPress plugin (versions through 1.2) allows unauthenticated remote attackers to coerce the site into issuing arbitrary HTTP requests via the 'api_url' parameter and to exfiltrate data from internal services. Because the plugin echoes the value of any 'auth' key from the JSON response back to the attacker, it enables direct retrieval of sensitive responses such as cloud instance metadata credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Kargo Takip
Delivery
Send GET to decodeandview.php with malicious api_url
Exploit
Server fetches internal metadata endpoint
Execution
Plugin echoes JSON 'auth' field in response
Persist
Attacker harvests cloud credentials
Impact
Pivot into cloud account

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the Kargo Takip plugin (version ≤ 1.2) be installed and active on a network-reachable WordPress site, and that the attacker can reach the plugin's decodeandview.php endpoint with a controllable 'api_url' query parameter - no authentication, no user interaction, and no non-default configuration is needed (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (7.2 High) is consistent with the description: unauthenticated, network-reachable, low complexity, and a scope change because the vulnerable WordPress process can reach internal systems outside its security authority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a single HTTP request to the public WordPress site invoking decodeandview.php with api_url=http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>, causing the server to fetch the cloud instance metadata response and echo the JSON 'auth' field - containing temporary AWS credentials - back in the HTTP response. The attacker then uses those credentials from their own host to pivot into the victim's cloud account. …
Remediation No vendor-released patch identified at time of analysis - the references point to the current trunk source of the vulnerable file, not a tagged fixed release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress instances using Kargo Takip plugin; disable and remove the plugin immediately from all installations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12095 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy